Inetone: ABAP OAuth

Dies ist Version . Es handelt sich nicht um die aktuelle Version und kann folglich auch nicht geändert werden.

[Zurück zur aktuellen Version][Diese Version wiederherstellen]

Inhaltsverzeichnis

Connecting SAP SuccessFactors Using an OAuth 2.0 Client (OA2CS)
certificates / communication
OAuth configuration
Modifications
Connection Test
Successfactors auth endpoints
Trace
Issues
Enable SAML button
400 "Invalid SAML assertion. For the correct SAML assertion format.."
401 "Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID."
401 Unable to authenticate the client (Login failed - invalid user)
SAML 2.0 for OAuth 2.0 client is disabled.

Connecting SAP SuccessFactors Using an OAuth 2.0 Client (OA2CS)#

Follow
SIMG > ABAP Platform > Application Server > Basis Services > Communication Interfaces
> OAuth 2.0 Client Implementation for SAP SuccessFactors Integration

The default implementation allows only a connection to ONE SuccessFactors instance.
Then you can use the existing objects.

This ones decribes how to create custom objects for multiple instances.

certificates / communication#

1. Configure Proxy Settings
x.SICF > F8 > Menu > Client > Proxy Settings

> HTTPS Protocol = <host>:<port> SKIPPED !!!
> Global Settings > Set Active SKIPPED !!!

OAuth configuration#

OAuth profile, default "SUCCESSFACTORS", use SE80 > Create > Others > OAuth 2.0 Client Profile (t.OA2C_PROFILES)
Application ID, default "DEFAULT", x.CLB2_APPLI
Provider type, default "SuccessFactors", x.CLB2_PTYPE (SM30 > CLB2V_PTYPE)
Application Server Assignment, default "DEFAULT", SM34 > CLB2VC_APPLI_PLATF <= here we have the OAuth App ID and the companyId
Server Communication, default "SuccessFactors", SM34 > CLB2VC_PLATF (SM30 > CLB2V_PLATF), make sure to fill also the "Authentication Methods" like USER
Server, default "SuccessFactors", SM34 > CLB2VC_PLATF_DEF
Application Settings" for each instance with SM30 > CLB2V_APPL_DATA
Parameters for each instance with SM30 > CLB2V_APPL_EXT, here we have company_id

x. OA2C_CONFIG (t.oa2c_client)

<sf_host>/oauth/token
form, header, current, SAML
www.successfactors.com
998

Modifications#

Whenever you choose to create SAML a new STRUST is created: "SSF OAuth2 Client Identity Provider - Signature" (x.SSFA) table SSFAPPLIC <==== > Create entry with r.ZMDW_TEST

Note: use always same case to avoid mixing up at all artifacts: Profile, Type, Application ID, Service Provider Type, SSF ID, Server

CL_OA2C_SPECIFICS_DEFAULT
CL_OA2C_CONFIG_EXT_DEFAULT

BADI Definition:	OA2C_SPECIFICS_BADI_DEF
BADI Implementation:	SMI_OA2C_SPEC_SFSF_BIZX				
Filter Value:		SUCCESSFACTORS
Implementation Class:	CL_SMI_OA2C_SPEC_SFSF	=> copied to ZCL_SMI_OA2C_SPEC_SFSF_CD
						=> exchange all references from class CL_SMI_OA2C_CONFIG_SFSF to ZCL_SMI_OA2C_CONFIG_SFSF_CD
						=> edit method IF_OA2C_SPECIFICS~GET_CONFIG_EXTENSION (replace R_CONFIG_EXTENSION name)
						
BADI Definition:	OA2C_CONFIG_EXTENSION_BADI_DEF
BAdI Implementation:	SMI_OA2C_CONFIG_SFSF_BIZX
Filter Value:		SUCCESSFACTORS
Implementation Class:	CL_SMI_OA2C_CONFIG_SFSF => copied to ZCL_SMI_OA2C_CONFIG_SFSF_CD
						=> update attributes GC_APPLICATION and GC_SMI_SP_SFSF
						
SE18 > BAdI OA2C_CONFIG_EXTENSION_BADI_DEF 
	> Right-Click > Create implementation > ei.Z_SMI_OA2C_SPEC_SFSF_BIZX_CD
	> bi.Z_SMI_OA2C_SPEC_SFSF_CD
	> assign class from above and add filter

SE18 > BAdI OA2C_SPECIFICS_BADI_DEF 
	> Right-Click > Create implementation > ei.Z_SMI_OA2C_CONFIG_SFSF_CD
	> bi.Z_SMI_OA2C_CONFIG_SFSF_BIZX_CD
	> assign class from above and add filter

Connection Test#

r.RCLB2_DEMO_GENERIC

Choose your Service Provider Type and Application ID
Request Method: HTTP Get (GET)
Manually Entered Endpoint
- Endpoint: /odata/v2/FODivision/
- Authentication Context: User Context (USER)

Successfactors auth endpoints#

The first is not secure anymore and should not be used anymore.

/oauth/idp
	parameters: 
		client_id
		user_id
		private_key
		token_url
		use_email
		use_username  <=== true
/oauth/token
	parameters:
		company_id
		client_id
		grant_type
		assertion
		new_token	<=== true

Trace#

/usr/sap/DMD/D11/work/dev_w* (work process traces) => search for "OA2C"

Issues#

Enable SAML button#

OA2C_CONFIG > reenable/toggle "SAML 2.0 Disabled" is creating a new certificate at STRUST "SSF OAuth2 Client Identity Provider - Signature", but not if just edited- Then you need to copy the STRUST certificate to SF again!.

400 "Invalid SAML assertion. For the correct SAML assertion format.."#

x.OA2C_CONFIG press button "Delete SAML 2.0 Settings" Then reenable SAML 2.0 by pressing the toggle button "SAML 2.0 Disabled".
to use username from DMD use 999 in OA2C_CONFIG => SEE below for use_username = true

401 "Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID."#

wrong certificate in SF OAuth => use the one from STRUST "SSF OAuth2 Client Identity Provider - Signature"

401 Unable to authenticate the client (Login failed - invalid user)#

see https://me.sap.com/notes/2668018/E

Test: CL_OA2C_SAML20_ASSERTION->BUILD_NAME_ID() > at line 25 es_saml20_name_id-_value = sy-uname. > replace with userId
the SF login expects the userId though you configured and pass the username

SAML 2.0 for OAuth 2.0 client is disabled.#

visible at exception in CL_OA2C_CLIENT->IF_OAUTH2_CLIENT~EXECUTE_SAML20_FLOW() line 174
OA2C_CONFIG > reenable/toggle with "SAML 2.0 Disabled"